Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Universal Forwarder not sending data to indexer after successful connection

RecoMark0
Path Finder
‎07-08-2016 05:39 PM

Hello,
I have a setup that consists of a Search Head and 2 indexers in a cluster. I also use a self signed SSL certificate between the indexers and my universal forwarders.

For some reason, my UF is able to connect to the indexers, but no data is sent.
07-09-2016 00:21:15.670 +0000 INFO TcpOutputProc - Connected to idx=x.x.x.x:9997

  1. My test logs directly on the indexers were sent to the search head without issue.
  2. running splunk list monitor on the UF lists all the logs I want to monitor
  3. No errors in splunkd.log on the UF that I can see, just the usual warnings I get in my duplicate setup in another enviornment that IS working.
  4. No errors in metrics.log on the UF either.

  5. On the Indexer is this warning:

    WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Fri Jul 8 20:30:38 2016). Context: source::\\s$\Logs\service.log|host::|Service Logs|174315

What else can I test to pinpoint my issue?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ddrillic
Ultra Champion
‎07-10-2016 07:09 AM

The "official" documentation to debug such a case at I can't find my data!

View solution in original post

Reply
Solved! Jump to solution
Solution

ddrillic
Ultra Champion
‎07-10-2016 07:09 AM

The "official" documentation to debug such a case at I can't find my data!

Reply
Solved! Jump to solution

RecoMark0
Path Finder
‎07-11-2016 08:06 AM

Sigh, I forgot to add the index my inputs.conf was going to, to the admin role "indexes searched by default". Sorry for wasting everyone's time! Rookie mistake.

0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎07-11-2016 08:16 AM

It's all good - we all make all sorts of mistakes...

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-10-2016 06:16 AM

You have a linebreaking/merging problem or a timestamping problem (the former often causes the latter). We need to see a few sample log events and your inputs.conf and props.conf files.

Reply
Solved! Jump to solution

renjith_nair
Legend
‎07-08-2016 07:54 PM

It's possible that the timestamp recognition is not working as expected and the events are indexed with an old timestamp.
Have you tried setting the time range to 'all time' and see if there are any events from this forwarder?

Try | metadata type=hosts index=* to see if the host is connected

Also have a look at http://wiki.splunk.com/Community:Troubleshooting_Monitor_Inputs

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...